1. No category

The Quadratic Sieve Factoring Algorithm

THE QUADRATIC SIEVE FACTORING ALGORITHM
by
C a r l WMERANCE*
Department of Mathematics
U n i v e r s i t y of Georgia
Athens, Georgia 30602 USA
The q u a d r a t i c sieve a l g o r i t h m i s c u r r e n t l y t h e method of choice t o f a c t o r very
l a r g e composite numbers w i t h no small f a c t o r s . I n t h e hands of t h e Sandia N a t i o n a l
Laboratories team of James Davis and Diane Holdridge, it has held t h e r e c o r d f o r t h e
l a r g e s t hard number f a c t o r e d s i n c e mid-1983. As of t h i s w r i t i n g , t h e l a r g e s t number
it has cracked i s t h e 71 d i g i t number
- 1 ) / 9 , taking
9.5 hours on the C r a y
XMP computer a t Los Alamos, New Mexico. I n t h i s paper I s h a l l g i v e some o f t h e
h i s t o r y of t h i s a l g o r i t h m and a l s o d e s c r i b e some of t h e improvements that have been
suggested f o r it.
KRAITCHIK'S SCHXME
There i s a l a r g e c l a s s of f a c t o r i n g a l g o r i t h m s t h a t share a common strategy.
If
N
i s t h e number t o b e f a c t o r e d , t h e n t h e i d e a is t o multiply congruences
U Z V mod N, where
U #V
and complete o r p a r t i a l f a c t o r i z a t i o n s (depending on t h e
algorithm) have b e e n o b t a i n e d f o r
U and V , so as t o produce a s p e c i a l congruence
X2 EY2 mod N. Then one s t a n d s a good chance t h a t t h e g r e a t e s t common f a c t o r
(X-Y, N), found by E u c l i d ' s a l g o r i t h m , i s a n o n - t r i v i a l f a c t o r o f N . If it i s n o t ,
then another combination o f congruences can be t r i e d . Thus t h e s e algorithms have
several parts :
(1
Generation of t h e congruences
U i V mod N ,
(2)
Determination o f t h e complete o r p a r t i a l f a c t o r i z a t i o n s of
U and
V
for
some of t h e congraences,
(3) Determination o f a s u b s e t o f t h e f a c t o r e d congruences which can b e
m u l t i p l i e d t o produce a s p e c i a l congruence X2 _Y2 mod N ,
( 4 ) Computeticn of
*
(X-Y, N )
supported in p a r t by a g r a n t from t h e National Science Foundation.
T. Beth, N. Cot, and I. Ingemarsson (Eds.): Advances in Cryptology - EUROCRYPT '84, LNCS 209, pp. 169-182, 1985.
0 Springer-Verlag Berlin Heidelberg 1985
170
N =91 and we n o t i c e that
For example, s a y w e try t o f a c t o r
75 z-16, and 64 Z - 2 7 .
81 E-10, 90 % - I ,
Factoring t h e s e numbers completely we have
34 E-2-5,
2-32.5 :-I,
Multiplying t h e l a s t two congruences
3-52 1-2:
, we
26.3.52
and 26 Z-33.
have
-24.33
,
o r c a n c e l l i n g common f a c t o r s ,
22.52
This g i v e s
l o 2 :32 mod 91
~32.
7 = ( 10-3,91). Or we might have m u l t i p l i e d t h e first
and
two congruences, g e t t i n g
22.5 ->36
2.36.5
so
2T2 Z12mod 91
and
51,
13 =(27-1,91).
This g e n e r a l scheme f o r f a c t o r i n g w a s published by Kraitchik C41 i n 1926. The
numbers
U,V
a r e f a c t o r e d i n t o primes except f o r squared f a c t o r s . Since most of
t h e congruences one i s l i k e l y t o g e n e r a t e w i l l not s u c c e s s f u l l y f a c t o r i n S t e p (21,
one's chances a r e enhanced i f one o f
U,V i s arranged t o be a square and t h e o t h e r
has a l a r g e square f a c t o r . I n [51, pp. 26-27, Kraitchik explains how t h i s should be
done. He l e t s
factor
U =x2
where
y2. He can f o r c e
t i c congruence
y2
x
i s c a r e f u l l y chosen so that
t o a p p e a r by choosing
x2 Z B mod y2. However,
V/y2
V =-N+x2
has a l a r g e
as a s o l u t i o n of t h e quadra-
x
need not be s m a l l and so e a s i l y facto-
r a b l e . This method h a s i t s problems.
K r a i t c h i k o p p o r t u n i s t i c a l l y used o t h e r congruences
N
suggested by t h e s p e c i a l form o f
a v a i l a b l e f o r a "random"
i n question
U ZVmod T4
. These congruences would n o t b e
N. I n h i s l a t e r work c51, t h e congruences U
were used t o assist i n f i n d i n g
X and Y
with
that were
X2-Y2
E V mod
B
=N. This i s an o l d f a c t o r i n g
s t r a t e g y t h a t goes back t o Fermat. I t h i n k Kraitchik preferred t h i s method f o r two
reasons. F i r s t , f e w e r congruences
U and V
a r e used. Second, when
of a n o n - t r i v i a l f a c t o r i z a t i o n of
U Z V mod N
X,Y
with m u l t i p l i c a t i v e information about
a r e found w i t h
X2-Y2
=N, one could b e a s s u r e d
N, u n l i k e with t h e o t h e r method where s t e p ( 4 )
may produce a t r i v i a l f a c t o r i z a t i o n . L i t t l e d i d Kraitchik know that h i s l a r g e l y
abandoned method of Froducing "cycles" ( t h e combination o f congruences i n s t e p ( 3 ) )
would be t h e b a s i s of most modern f a c t o r i n g algorithms !
171
THE CONTINUED FRACTION ALGORITHM
Instead of f i n d i n g
U S V mod N
with one o f
U,V
a square and t h e o t h e r d i v i -
s i b l e by a l a r g e s q u a r e factor, a n o t h e r s t r a t e g y might be t o choose one a s q u a r e
and t h e o t h e r smazz i n a b s o l u t e value. It t h u s would more l i k e l y f a c t o r i n s t e p (2).
I n 1931, Lehmer and Powers
of
fi
161 suggested t h e use of tiie continued f r a c t i o n expansion
U Z V mod N i n Kraitchik's scheme. This i s
t o g e n e r a t e t h e congruences
done by a simple r e c u r s i v e procedure t h a t c r e a t e s p a i r s
8, An
where
Q 1 A2 mod N
n
n
lQnl
and
An o l d method o f Legendre a l s o suggested t h e use o f t h e c o n t i n u e d
<2&.
f r a c t i o n expansion o f
fi, b u t
h i s aim w a s t o use t h e congruences ( 1 ) t o f i n d i n f o r -
mod Q
of prime f a c t o r s
n
search, such as t r i a l d i v i s i o n , could be g r e a t l y speeded up
mation on the q u a d r a z i c c h a r a c t e r
p
of
N. Then a d i r e c t
because many p o t e n t i a l
d i v i s o r s would n o t have the proper c h a r a c t e r . I n c o n t r a s t , Lehmer and Powers advocated
m u l t i p l y i n g several congruences of t h e form ( 1 ) t o produce congruent squares.
Morrison and B r i l l h a r t El01 were t h e f i r s t t o t r y t h e continued f r a c t i o n algo-
rithm on a modern computer. I n t h e implementation they made s e v e r a l major improvements and refinements t h a t would be o f use i n any of t h e combination o f congruences
family o f a l g o r i t h m s . F i r s t , t h e y used a ''factor base", o r all of t h e primes t o some
F, t o dermine which o f t h e congruences ( 1 ) were useful. When a congruence ( 1
point
w a s generated, t h e number
(Ln
w a s s u b j e c t e d t o trial d i v i s i o n by t h e primes
p SF.
If a complete f a c t o r i z a t i o n c o u l d be obtained, t h e congruence was kept f o r l a t e r use
-if not, it w a s d i s c a r d e d .
S t e p ( 3 ) of t h e a l g o r i t h m , t h e a c t u a l combination of congruences w a s e f f e c t e d
by a Gaussian e l i m i n a t i o n i n a v e r y l a r g e matrix over
f a c t o r base c o n s i s t s of t h e primes
pl,...,pf,
a
Qn = ( - 1 )
and i f
f
0
Z/2Zm S p e c i f i c a l l y , if t h e
n
a.
pi1
i=l
where t h e
a.
are non-negative
i n t e g e r s , t h e n w e look a t t h e vector
+.
v ( n ) = ( a ,a1
I f we have enough v e c t o r s
,...,
a,) mod 2 .
0
+
d n ) , t h e n Gaussian elimination w i l l produce a l i n e a r
dependency
-+
-t
+
v ( n l ) +.. .+ v ( n ) = 0,
k
so t h a t
Qn
1
Y =A
o q e
"1
A
..*
9-
i s a s q u a r e , say
X2. If we compute
X mod N
and
I
-
L
mod 3, t h e n
nk
X2 3Y2 mod
N
and we a r e ready f o r s t e p ( 4 ) .
172
Another improvement, c a l l e d the " e a r l y a b o r t strategy" w a s described i n c111.
This improvement extended t h e u s e f u l range of t h e continued f r a c t i o n algorithm on
an o r d i n a r y main frame computer by about 10 d i g i t s -from t h e mid 4 0 t s t o t h e mid
(see
50's
C141, C121).
low c o s t processor has been designed by J.W. Smith and
A s p e c i a l purpose,
S.S. Wagstaff, Jr. and b u i l t a t t h e U n i v e r s i t y of Georgia t o implement t h e c o n t i n u e d
f r a c t i o n algorithm w i t h the e a r l y a b o r t s t r a t e g y . It i s designed t o do t h e trial
d i v i s i o n s t e p on a
Q
i n p a r a l l e l ( s e v e r a l t r i a l d i v i s o r s can be t r i e d a t o n c e )
n
and t h e device h a s extended p r e c i s i o n , so that t h i s a r i t h m e t i c done with long i n -
t e g e r s can be done i n single p r e c i s i o n . It should be f u l l y o p e r a t i o n a l soon and w e
await t h e i r r e s u l t s . It -dill probably be somewhat i n f e r i o r t o t h e r e s u l t s produced
by t h e Sandia team, buz+&is should b e weighed by t h e f a c t that t h e c o s t of t h e S m i t k
Wagstaff device i s a b o u t t h r e e o r d e r s o f magnitude l e s s than t h e c o s t o f a Cray
X M P.
THE M I L L E R -WESTERN ALGORITHM
The i s s u e o f Mathematics o f Computation which contains t h e Morrison-Brillhart
Lehmer and h a s many i n t e r e s t i n g a r t i c l e s on computational
paper is d e d i c a t e d t o D.H.
number theory. I n t h i s issue t h e r e i s a n a r t i c l e by J.C.P.
t h a t a l s o u s e s congruences
Miller
[71 on f a c t o r i n g
U 3 V mod N. He a t t r i b u t e s t h e idea t o A.E.
aim is t o f i n d congruences w i t h
U and V
Western. The
completely factored. But r a t h e r t h a n
combine t h e s e congruences t o produce congluent squares, each congruence i s r e a d as
a l i n e a r r e l a t i o n o f i n d i c e s w i t h r e s p e c t t o some p r i m i t i v e r o o t
p
offinding
p
be found with
v i a c r e a t e d congruences o f t h e form
atIq
g
of
p, where
N. When enough congruences can be found t h e r e i s a chance
i s a prime f a c t o r of
$ 1 mod
N, t h e n perhaps
at 5 1 mod N. If some
(atIq-t,
N)
qlt
can
is a n o n - t r i v i a l f a c t o r o f
N.
I see no p a r t i c u l a r advantage t o t h i s method over just combining t h e f a c t o r e d
congruences t o produce congruent s q u a r e s i n t h e Kraitchik scheme. I mention the
algorithm here because o f t h e v e r y simple way M i l l e r chooses t h e congruences
U E V mod N . Namely h e just p a r t i t i o n s
as
N
A+B, l e t t i n g
U = A , V =-B. There i s
an i n t e r e s t i n g unsolved problem o f ErdBs that s a y s t h a t f o r each
N
(E)
such t h a t f o r e a c h i n t e g e r
where no p r h e i n
A B
exceeds
N >N
(E)
t h e r e i s a p a r t i t i o n of
t h e r e is an
>O
N
as
A+B
NE. What we need i s an algorithmic s o l u t i o n o f
E r d k ' s problem t h a t g i v e s many such p a i r s
i t s e l f ) i s not so h a r d !
E
A , B . Perhaps t h i s problem (and f a c t o r i n g
173
SCHROEPPEL’S ASYMPMTIC ANALYSIS
In t h e l a t e 1970’s some important advances on f a c t o r i n g were made by Richard
Schroeppel. He never p u b l i s h e d h i s results, but t h e y have become known through copies
of h i s l e t t e r s and t h r o u g h second hand published accounts (e,g. C81 , c111). F i r s t ,
Schroeppel began the s y s t e m a t i c s t u d y o f t h e asymptotic running t h e o f f a c t o r i z a t i o n d g o r i t h m s i n t h e K r a i t c h i k family. Second, he found an algorithm i n t h e f d l y
where s t e p ( 2 ) c o u l d b e accomplished without time consuming t r i a l d i v i s i o n .
Schroeppel‘s a s y m p t o t i c a n a l y s i s hinged on t h e optimal choice o f t h e p a r a m e t e r ’
F means
F, t h e upper bound f o r t h e primes i n t h e f a c t o r base. A small choice of
only few f a c t o r e d congruences a r e necessary t o produce a l i n e a r dependency, b u t such
congruences a r e v e r y h a r d t o f i n d . With a l a r g e choice of
F t h e s i t u a t i o n i s re-
versed. Somewhere between “ l a r g e ” and “ s m a l l ” i s t h e optimal choice. Schroeppel
r e a l i z e d that t o s t u d y t h i s s i t u a t i o n asymptotically one needed t o use t h e f u n c t i o n
$ ( x , y ) -the number of i n t e g e r s up t o
f i c a l l y t h i s w a s needed w i t h
divided and
y =F. Thus
x
d i v i s i b l e by no prime exceeding y. Speci-
being t h e average s i z e of t h e r e s i d u e s b e i n g trial
x
$(x,y)/x
r e p r e s e n t s t h e “ p r o b a b i l i t y ” t h a t a r e s i d u e will
completely f a c t o r o v e r t h e f a c t o r base.
For example, suppose w e s t u d y t h e continued f r a c t i o n algorithm. Then t h e t Y pical
Qn w i l l be a p p r o x i m a t e l y
f a c t o r b a s e , t h e n we s h o u l d have
(N/p) 1 1
can d i v i d e a
8 ) -We
6. F u r t h e r ,
if
f rJF/2 l o g F
( o n l y those odd primes
i s t h e number of primes i n t h e
f
need t o o b t a i n about
p
with
completely f a c t o r e d
f
$‘s.
Thus we should expect t o have t o g e n e r a t e
f(@(G,F)/fi)-’ = ffi/$(fi,F)
values of
%
b e f o r e enough f a c t o r e d ones a r e found.. More, we need t o do about
f
t r i a l d i v i s i o n s on t h e a v e r a g e
s t e p s needed t o f a c t o r
N
Qn produced, s o t h e t o t a l number o f t r i a l d i v i s i o n
w i t h t h e continued f r a c t i o n algorithm should be about
f2fi/$(fi,F).
Ignoring o t h e r s t e p s i n t h e a l g o r i t h m , w e thus choose
F
so a s t o minimize t h i s
quantity. Schroeppel assumed t h a t
<(log
*)’-E
( a r e s u l t which w a s s u j s e q u e n t l y proved i n c 1 1 ) and found t h a t t h e optimal choice
1/JB+o( 1 1 where
of
F
is
L(N)
L(N) = exp(J1og
N log log
( n a t u r a l l o g s ) and t h a t t h e expected running time i s
argument i s o n l y he&Stic
Q,
a)
L(?T)fi+o(’). O f c o u r s e , t h i s
- f o r one, it i s assumed without proof t h a t t h e n m b e r s
f a c t o r over t h e p r l h e s t o
F
as f r e q u e n t l y a s random numbers of t h e same
174
approximate s i z e .
SCHROEPPEL'S LINEAR SIEVE
Schroeppel's new a l g o r i t h m w i t h by-passed trial d i v i s i o n i s a l s o i n K r a i t c h i k ' s
family. L e t
(2)
If
IAI,
IBI
are l e s s t h a n
N',
then
IS(A,B)I s2N
r e l a t i v e l y s m a l l , n o t much l a r g e r t h a n t h e
"'+'so that t h e
are
S(A,B)
8 ' s given by ( 1 ) . More, we e v i d e n t l y
have
S(A,B)
so t h a t we use these
tely factor t h e
T(A,B)'s.
I T(A,B) mod
N
as t h e congruences i n K r a i t c h i k ' s scheme. We attempt t o comple-
S(A,B)'s
o v e r a f a c t o r base, but we do not t r y t o f a c t o r t h e
Note t h a t ( 2 ) a l r e a d y g i v e s a p a r t i a l f a c t o r i z a t i o n of
t h u s arrange f o r a p r o d u c t o f
T(A,B)'s
t o be a square i f each
T ( A , B ) . We c o u l d
A
and each
used a n even number OP t i m e s i n t h e product. Thus w e t r e a t t h e v a r i a b l e s
is
B
as if
A,B
t h e y w e r e primes i n t h e Gaussian e l i m i n a t i o n s t e p .
Thus t h e Gaussian e l h i n a t i o n s t e p i s h a r d e r and t h e r e s i d u e s
S(A,B)
are a
b i t l a r g e r t h a n i n t h e c o n t i n u e d f r a c t i o n algorithm. There is an advantage h e r e ,
though, and it i s that t h e numbers
S(A,B)
The i d e a is t h a t f o r a f i x e d v a l u e
A.
for
can be factored uithout t r i a l d i v i s i o n .
A
we can l e t
B
r u n over c o n s e c u t i v e
i n t e g e r s . These numbers form a n a r i t h m e t i c progression, so that i f
pIS(Ao,Bo), t h e n
p{S(Ao,Bo+p) , p /S(Ao ,Bo+2p), e t c * That i s , w e know beforehand e x a c t l y which v a l u e s
of
B
have
S(Ao,B)
d i v i s i b l e by
p. No more do we need t o waste a t r i a l d i v i s i o n
s t e p on a number where the t r i a l d i v i s o r does not go.
Schroeppel's a s y m p t o t i c a n a l y s i s suggested t h e running time of h i s a l g o r i t h m
W ~ S L ( N ) '+O(').
However, h i s a n a l y s i s neglected t h e time for t h e Gaussian elimina-
t i o n . This i s not a m i s t a k e i n t h e continued f r a c t i o n algorithm a n a l y s i s because it
r e a l l y t a k e s less t h e t h a n t h e t r i a l d i v i s i o n s t e p . But i n Schroeppel's a l g o r i t h m
we have given t h e Gaussian e l i m i n a t i o n a l a r g e r t a s k t o accomplish and it c a n b e
shown ( h e u r i s t i c a l l y ) t h a t it takes
L(N)3'2+0(')
s t e p s , worse t h a n t h e r u n n i n g
time of t h e continued f r a c t i o n algorithm.
THE QUADRATIC SIEVE
In 1981 I s u g g e s t e d t a k i n g A = B
i n Schroeppel's l i n e a r s i e v e a l g o r i t h m ,
c a l l i n g t h e r e s u l t i n g method t h e q u a d r a t i c s i e v e algorithm. This simple move changes
things drastically. Let
(3)
Q(A) = S(A,A) = (LfiJ+A)2
-N,
175
Thus w e a r e back i n the game of producing quadratic residues as i n t h e continued
f r a c t i o n algorithm, s o t h e Gaussian e l i m i n a t i o n s t e p should not b e a major hiffic u l t y . In a d d i t i o n , we can s t i l l s i e v e as Schroeppel did. If
plQ(Ao+p), pIQ(Ao+2p), e t c . T h i s p r o p e r t y of t h e function
FIQ(A ), t h e n
0
Q(A)
follows f r o m t h e
f a c t t h a t it i s a polynomial w i t h i n t e g e r c o e f f i c i e n t s . H e u r i s t i c a l l y , t h e running
time f o r t h e a l g o r i t h m i s
including t h e matrix s t e p , an improvement
L ( N ) m+O(l),
over t h e continued f r a c t i o n algorithm. This a n a l y s i s and a d e s c r i p t i o n of t h e algorithm i s found i n C111.
The i d e a i n ( 3 ) i s t o choose
A
with
Q(A) =
IAl <NE. Since f o r s m a l l
A
w e have
an,
1 Q ( A ) I 52N1’2+E, as w i t h Schroeppel. It i s amusing t o n o t e t h a t M e
We t h u s have
method (3) of choosing q u a d r a t i c r e s i d u e s
mod N
i s very s i m i l a r t o t h a t of
Q a i t c h i k d i s c u s s e e above.
There i s a d i f f e r e n c e though. Kraitchik c a r e f u l l y prepa-
r e d values of
x2-N
x
so that
t e l y choose a l l v a l u e s o f
had a l a r g e square f a c t o r . I n (3) we i n d i s c r i m i n a -
fi.
near
x
The advantage i s c l e a r , because now we can use a sieve. For each odd prime
i s i n t h e f a c t o r base if
i n the factor base (p
p
(N/p) = 1 ) we solve t h e q u a d r a t i c
congruence
( L f i J + A ) * z N mod p,
A(’),
A$’)
( f o r p=2, s p e c i a l treatment i s r e q u i r e d ) . We
1
then compute v e r y c r u d e l o g s o f each o f t h e Q ( A ) f o r A i n a long i n t e r v a l ( t h e s e
labelling the solutions
l o g s are a l l approximately e q u a l ) . These l o g s a r e s t o r e d i n an a r r a y indexed by t h e
values of
A. We t h e n p u l l o u t each l o g t h a t has i t s index
and s u b t r a c t
log p
from t h e number i n t h e l o c a t i o n . (Again, l o g p
s i o n l o g ) . T h i s i s done f o r each
p
Q(A)
A$)
mod P
is a l o w preci-
i n t h e f a c t o r base and for some o f the h i g h e r
t h a t a r e c l o s e t o 0. These l o c a t i o n s correspond t o values of
course, very few n m k e r s
or
p. A t t h e end, we scan t h e a r r a y f o r r e s i d u a l logs
powers of t h e s m a l l e r primes
f a c t o r e d . The number
A :A!’)
&(A)
t h a t completely
may now b e computed and factored by t r i a l d i v i s i o n . Of
$(A)
completely f a c t o r , so t h e amount of t r i a l d i v i s i o n
i n t h e algorithm i s n e g l i g i b l e . Note t h a t not only does t h e q u a d r a t i c sieve alga-
rithm have a s y m p t o t i c a l l y fewer s t e p s than t h e continued f r a c t i o n a l g o r i t h m , b u t
each s t e p i s s i m p l e r . I n t h e q u a d r a t i c s i e v e a t y p i c a l s t e p is a s i n g l e p r e c i s i o n
subtraction
, while
i n t h e continued f r a c t i o n algorithm a t y p i c a l s t e p i s a d i v i d e
with remainder o f a s i n g l e p r e c i s i o n i n t e g e r i n t o a long dividend.
Asymptotic-y,
t h e a l g o r i t h m o f Schnorr and Lenstra El31 (which i s n o t i n t h e
Kraitchik f a m i l y ) s h o u l d be f a s t e r than t h e quadratic sieve : i t s h e u r i s t i c run t i m e
is
L ( N ) l+O(l).
However it h a s not y e t proved computer p r a c t i c a l and t h e c r o s s o v e r
Point may be v e r y l a r g e . A t y p i c a l s t e p i n t h e Schnorr -Lenstra algorithm i s comps i t i o n of binal-1 q a d r a t i c forms w i t h multi-precision e n t r i e s and f i n d i n g a reduced
form i n t h e c l a s s .
176
TIIE DAVIS VARIATION
Davis and Holdridge c21 have w r i t t e n a very c l e a r a r t i c l e on t h e implementat i o n of t h e q u a d r a t i c s i e v e a l g o r i t h m and t h e r e i s no need t o d u p l i c e t e t h e i r work
here. But I would l i k e t o mention a n important.improvement Davis made on t h e method.
It seems c l e a r t h a t the q u a d r a t i c s i e v e algorithm majorizes t h e continued f r a c t i o n
algorithm i n every r e s p e c t b u t i n t h e s i z e of t h e quadratic residues. Namely, i n t h e
'$1
l a t t e r method, each
a r e about
N1 /2+E
is less than
(where
2 f i b u t i n t h e former, t h e numbers
i s small and tends t o 0 slowly as
>O
E
N ->-).
I
lQ(A)
Of
course, t h e l a r g e r t h e r e s i d u e , t h e less l i k e l y it i s t o f a c t o r over t h e f a c t o r base.
The Davis v a r i a t i o n is simply t o s i e v e over various a r i t h m e t i c p r o g r e s s i o n s of
A's
so t h a t t h e
Q(A)'s
a r e g u a r a n t e e d t o have a f i x e d f a c t o r . S p e c i f i c a l l y , i f
is some l a r g e prime not i n the f a c t o r b a s e and
d i v i d e s every
plQ(A )
where
0 <Ao < p , t h e n
p
p
Q(Ao+Ap) as noted b e f o r e . L e t
Q ~ ( A )= Q ( A ~ + A P ) .
so t h a t a f t e r t h e known f a c t o r
p i s divided out of Q ( A ) , t h e c o f a c t o r is about
P
Q(A). Thus i n s t e a d o f having j u s t one polynomial t o work w i t h , w e
t h e same s i z e as
have a l a r g e family of polynomials -one ( i n f a c t , two) f o r each p o s s i b l e
p. F o r
each
k
p
used w e c o n s i d e r
red v a l u e s of
Q (A)
P
p
as a new prime i n t h e f a c t o r base. Thus i f
a r e found, a f t e r e l i m i n a t i n g
p
we have
k-1
facto-
vectors l e f t
over t h e o r i g i n a l f a c t o r b a s e . However, Davis avoids l o s i n g even one v e c t o r . H e
does t h i s by f i n d i n g a f a c t o r e d
Q (A)
P
follows. If i n t h e o r i g i n a l polynomial
f o r "free". This magic i s accomplished as
$(A)
a l o c a t i o n A1
where t h e r e s i d u a l l o g is n o t n e a r 0 , b u t l e s s than
&(A1)
i s found a f t e r s i e v i n g
2logF, then t h e c o f a c t o r a f t e r
is d i v i d e d by a l l p r i z e s i n t h e f a c t o r base i s a prime
t h u s use t h i s
p
t o form
Q (A)
P
( a n d we can choose
A EA
0
p
with
F < p <F2. W e
mod p ) . We s t a r t w i t h
1
one f a c t o r e d value b e f o r e s i e v i n g t h e new polynomial, so any new f a c t o r e d v a l u e s
found a r e all t o t h e good.
TH2 MONTGOMERY VARIATION
Independently of Davis,
f a r f i g h t i n g t h e dri't
P e t e r Montgomery C91 has come up w i t h a n o t h e r s t r a t e g y
t o i n f i n i t y of t h e quadratic residues
t a i l o r makes polynomials t o custom f i t not only t h e number
Q ( A ) . H i s method
N
t o be f a c t o r e d , b u t
t h e l e n g t h of t h e i n t e r v a l we s i e v e over before we change polynomials.
177
Suppose we s i e v e over i n t e r v a l s of length
2M
before we change p o l p & d S .
We a r e looking f o r polynomials
F ( x ) = ax2+2bx+c
where
N1b2-ac,
f o r then
a F ( x ) = a2X2+2abx+ac = (ax+b)' -(b2-ac)
(4)
(ax+bI2 nod N.
3
F(x) t o be small i n absolute value on
Further, we would l i k e t h e values of
2M. It t h u s seems reasonable t o center t h i s i n t e r v a l on t h e
i n t e r v a l of length
vertex of t h e parabola
F(x) -so we specify t h e i n t e r v a l as
I = (-b/a-M,
and choose
-b/a+M)
so that
a,b,c
F(-b/a-M) = F(-b/a+M).
-F(-b/a)
To be s p e c i f i c , we choose
a,b,c
so that
.
b2-ac = N
(5)
Then from
(41,
-aF(-b/a)
Thus w e should choose
a
= N, aF(-b/a-M) = aF(-b/a+M) = a2M2-N.
so t h a t
N =a2M2-N, i . e . ,
Montgomery suggests then t h a t w e decide f i r s t on
sieved. Next an i n t e g e r
a
2M, the length of t h e i n t e r v a l
is chosen s a t i s f y i n g ( 6 ) and then integers b and c
a r e found s a t i s f y i n g ( 5 ) . (For example, we could choose
( N / a ) = I . Then t h e quadratic congruence
chosen as
fLn
b2 Z N mod a
a
as a prime s a t i s f y i n g
is solved f o r
b
and
is
c
(b2-N)/a).
We thus have constructed a quadratic polynomial
F(x) so t h a t on t h e i n t e r v a l
I
This i s b e t t e r than t h e polynomials
&(A)
and
t h e i r a b s o l u t e values a r e bounded by
(-M,M)
residues a r e about
B ( A ) / p . For them on t h e i n t e r v a l
2
M
a
. Thus the l a r g e s t of Montgomery's
2 f i times smaller and so somewhat more l i k e l y t o f a c t o r Over
t h e f a c t o r base.
Here i s a n i d e a which should improve Montgomery's basic plan. If
of
F(x)
k 21
a r e found which f a c t o r over the f a c t o r base, we only end up with
vectors because t h e f a c t o r
could be s e r i o u s
i,9
a
m u s t be eliminated from the congruences (4).
the expected value of
t h e r a r e instances w e had
k
values
k-1
This
were much smaller than 1 , f o r t h e n i n
k > O , it would be l i k e l y t h a t
k =1
and nothing w o u l d
178
-
b e gained. To s o l v e t h i s problem, w e choose
and
(N/g) = l
nate
gzJa/M.
a =g2 where
g
is a prime with
Then e v e r y t h i n g i s as before, but we do not have t o e l h i -
from ( 4 ) b e c a u s e it i s a square. All f a c t o r e d values of
a
F(x) are now t o
t h e good.
The q u a d r a t i c congruence
(7 1
b2 E N mod g2
g E 3 mod
can b e solved v e r y simply i f
4
(N/g) = l . Just t a k e
and
b = N (g2-g+2)/4mod g2.
This involves a r i t h m e t i c
mod g2. I n s t e a d , by f i r s t solving ( 7 ) mod g
by taking
=N(g+’)’4mod g and n e x t determine x so t h a t (b,+xg)2 Z N mod g2, all of the
1a r i t h m e t i c c a n b e done mod g. ( T h i s i d e a w a s suggested by Wagstaff -it i s an elemen-
b
t a r y a p p l i c a t i o n of H e n s e l ’ s lemma),
Above we chose a s a t i s f y i n g ( 6 ) t o minimize t h e m a x b value of
IF(x)l
I. I n s t e a d , it may b e nore a p p r o p r i a t e t o minimize t h e auemge value of
on
IF(x)l.
For t h i s we should choose
a zj
(1.5127453)fi/M.
However, it probably m a k e s v e r y l i t t l e d i f f e r e n c e whether we
choose
a
by t h i s
scheme o r by ( 6 ) .
I n t h e implementation of Montgomery’s v a r i a t i o n (which has not y e t been done)
one should compute how c o s t l y it i s t o produce new polynomials
c o s t l y , a l a r g e r v a l u e should be chosen f o r
value should be chosen f o r
M.
F(x). If it is very
M ; i f it i s not so c o s t l y , a smaller
That i s , we should s i e v e over as short an i n t e r v a l
as p o s s i b l e , where t h e overhead o f producing new polynomials and computing t h e
s t a r t i n g p o i n t s f o r each prime used i n t h e s i e v e says it should not be too short.
L4RGE PRIMZ VARIATION
In El11 t h e l a r g e prime v a r i a t i o n was suggested f o r t h e q u a d r a t i c s i e v e . This
v a r i a t i o n i s commonly used w i t h t h e continued f r a c t i o n dlgorithm. As mentioned
above, i f t h e r e s i d u a l l o g a f t e r s i e v i n g i s not c l o s e t o 0 , b u t l e s s t h a n
2 logF,
t h e n we have produced a q u a d r a t i c r e s i d u e t h a t completely f a c t o r s over t h e f a c t o r
base except f o r one l a r g e p r i n e f a c t o r
t h i s information f o r :‘ree,but
prime
p
p
with
F < p <F2. Not c n l y do we r e c e i v e
such r e s i d u e s a r e simple t o process. I f t h e l a r g e
i s never s e e n a g a i n i n a n o t h e r f a c t o r e d residue, it i s u s e l e s s f o r us and
t h i s l i n e may b e d i s c a r d e d . I f it appears
l e f t with
k-1
t h e event
k 12
k times, we caa e l i m i n a t e i t , being
v e c t o r s over t h e f a c t o r base. The “birthday paradox” s u g g e s t s t h a t
w i l l n o t b e t h a t uncommon.
179
If t h i s method i s used t o g e t h e r with t h e Davis v a r i a t i o n , another method
Q (A). W
e can i n s t e a d use ( 7 ) . L e t
P
(N/g) =1. I f b i s t h e s o l u t i o n o f (71,
should b e used t o produce t h e polynomials
g E 3 mod 4
g >F be a prime with
we l e t
A.
and
mod g 2 . Then w e can use t h e polynomial
=b-L&J
Qg2(A) = Q(Ao+g2A)
i n t h e Davis v a r i a t i o n . (We c a n a l s o use
A.
z-b-LJumod
g2).
Every value f a c t o r e d o v e r t h e f a c t o r base i s u s e f u l and we can use t h e large prime
v a r i a t i o n on a l l of t h e
Q 2(A) f o r various choices of g2. Note t h a t there i s l e s s
g
overhead with producing t h e polynomials Q g 2 ( A ) than t h e P(x] i n Montgomery's
v a r i a t i o n because
c a n be chosen s m a l l e r with Davis.
g
SMALL MODULI
I n trial d i v i s < o n it t a k e s j u s t as long t o t e s t d i v i s i b i l i t y by 3 as by 101.
But s i e v i n g by 3 t a k e s 101/3 t i m e s Longer than 101 s i n c e it has more f r e q u e n t "hits':
Thus a c o n s i d e r a b l e p e r c e n t a g e o f s i e v i n g time i s spent with t h e very s m a l l e s t mod u l i . This seems a waste s i n c e t h e s e s m a l l moduli c o n t r i b u t e t h e l e a s t i n f o r m a t i o n .
One i d e a i s t o s k i p s i e v i n g w i t h them completely. Say we do not s i e v e w i t h any modul u s below 30. Then i f 3 i s i n t h e f a c t o r base, f o r example, we w i l l not s i e v e
mod 9 , nor
mod 27. But w e will s i e v e
l o g 3 ) at h i t s f o r t h i s modulus. I f
moduli skipped and i f
mod 81, s u b t r a c t i n g
4 log3
P is t h e product of t h e h i g h e s t powers of t h e
P <F, t h e n w e l o s e nothing by t h i s s t r a t e g y . Indeed, the ma-
ximal e r r o r i n t r o d u c e d i n s k i p p i n g t h e small moduli is at most
i f t h e ' r e s i d u a l log is l e s s t h a n
log P < l o g F. Thus
log F t h e number has factored completely a n d
every completely f a c t o r e d number w i l l have a r e s i d u a l l o g l e s s t h a n
If t h i s i d e a p r o v e s good, one might " l i v e dangerously" and l e t
bigger t h a n
mod 3 ,
( i n s t e a d of
F. I n f a c t i f w e l e t
P
be around
l o g F.
P
b e somewhat
F2 and use t h e l a r g e prime varia-
t i o n t o o , t h e o n l y r e s i d u e s l o s t w i l l be some of t h e r e s i d u e s which f a c t o r e d w i t h a
l a r g e prime. O f c o u r s e , you may p r e f e r not t o l o s e anything.
USE OF A MULTIPLIER
The f a c t o r base f o r
primes
p SF
with
i n t h e q u a d r a t i c sieve algorithm c o n s i s t s of t h o s e
N
~ = 2o r
(N/p) = I .
small p o s i t i v e square-:reeinteger
If we replace
N
by
then t h e f a c t o r b a s e changes. The expected c o n t r i b u t i o n t o
power of
p
in
x2-x R
1N
where
X
( K r a i t c h i k again -see [ k ] , p. 208 and [5],
log(x2-A N )
is a
Ch. 2)
by the
is
Ep = (2 l o g p ) / ( p - l )
if x
i s a randon i n t e g e r and
(X N / p ) =l. For p=2 t h e expected c o n t r i b u t i o n is
180
1'
-log
E2 =
2
log 2
2 log2
If
plX
t h e expected
value of
X
SO
contribution
,
if
X Nz3 mod 4
,
,
if
A Nr5 mod 8
if
X N E l mod 8.
E
P
is
( l o g p)/p. Thus we wish t o choose the
as t o maximize t h e f u n c t i o n
where t h e sum i s o v e r t h o s e primes
p fF
with
p=2, (X N/p) = 1 , o r
PIX. This
function i s very similar t o one a s s o c i a t e d with t h e continued f r a c t i o n a l g o r i t h m
( s e e C31, p. 391, Ex. 28 or C121).
S P E C I A L PURPOSE PROCESSORS
J.W. Smith, S.S. U a g s t a f f , Jr., and I have discussed t h e f e a s i b i l i t y of
b u i l d i n g a s p e c i a l purpose p r o c e s s o r t o implement t h e quadratic s i e v e algorithm. W e
a r e encouraged by t h e p r o s p e c t s . For a budget of perhaps ft25,OOOin p a r t s , we b e l i e v e
a "quadratic s i e v e r " c o u l d b e b u i l t t h a t would r i v a l a Cray i n speed. For t e n o r
twenty times as much money a machine could be b u i l t t h a t could f a c t o r 100 d i g i t
numbers i n a month. Perhaps t h e s e f i g u r e s a r e way off, it i s hard t o t e l l
unless
one t r i e s .
The b a s i c i d e a of t h e " a u a d r a t i c s i e v e r " would be t o c o n s t r u c t a sequence o f
16x
4K units each of which would s i e v e over an i n t e r v a l of l e n g t h 4096. The largest
moduli ( f a s t e s t t h r o u g h t h e s i e v e ) would b e s t a r t e d one a f t e r t h e a t h e r through the
sequence
Of
units. There-would never be i n t e r f e r e n c e o f moduli because we have l e t
the f a s t e s t racers start f i r s t .
Another i d e a is t o u s e many unextraordinary computers each using a d i f f e r e n t
batch of polynomials w i t h one c e n t r a l computer which i s fed t h e f a c t o r e d r e s i d u e s .
With a l l o f t h e s e i d e a s w e may begin t o approach t h e 100 d i g i t l e v e l i n
faCt0-
ring. But 150 d i g i t numbers should be about 100,000 times harder and it seems clear
t h a t c u r r e n t methodology is i n s u f f i c i e n t f o r f a c t o r i n g such huge numbers. However,
u n t i l someone proves tLAt f a c t o r i n g must be hard, t h e r e w i l l always be some doubt
about t h e s e c u r i t y of 3 S A . When R S A w a s introduced 40 d i g i t numbers were c o n s i dered hard t o f a c t o r , w'aile now we a r e doing 70 d i g i t numbers and t a l k i n g about
100 d i g i t numbers. As always, t h e f u t u r e is hard t o p r e d i c t .
181
ACKNOWLEDGEMEXTS
I would l i k e t o t h a n k t h e Dgpartement de Mathhatiques-Informatique a t t h e
U.E.R.
des Sciences d e Limoges f o r t h e i r h o s p i t a l i t y while t h i s paper w a s w r i t t e n -
I would a l s o l i k e t o t h a n k H.J.J,
t e R i e l e f o r helping me t r a c k down t h e K r a i t c h i k
references and P e t e r Montgomery f o r h i s kind permission t o d e s c r i b e h i s improvement
t o t h e q u a d r a t i c s i e v e alogorithm.
El1
E.R.
C a n f i e l d , P. ErdZjs and C , Pomerance, On a problem of Oppenheim
concerning " F a c t o r i s a t i o Numerorum", J. Number Theory, 17 (1983) , 1-28.
c21
J.A.
Davis and D.B.
Holdridge, F a c t o r i z a t i o n *sing t h e q u a d r a t i c s i e v e
algorithm, Sandia Report Sand 83-1 346, Sandia National Laboratories, Albuquerque,
New Mexico, 1983.
C31
D.E.
Knuth, The A r t o f Computer Programming, vol. 2, Seminumerical
Algorithms, 2nd e d i t i o n , Addison Wesley, Reading, Mass., 1981
, Paris,
C41
M. K r a i t c h i k , Thgorie d e s Nombres, Tome 11, Gauthier-Villars
C51
M. K r a i t c h i k , R e c h e r c h s u r l a ThEorie des Noabres, Tome 11, F a c t o r i s a -
1926
tion, Gauthier-Villars,
C61
D.H.
P a r i s , 1929.
Lehmer and R.E.
Powers, On f a c t o r i n g l a r g e numbers, B u l l . h e r .
Math. Soc. 37 (1931), 770-776.
J.C.P.
[TI
M i l l e r , On f a c t o r i s a t i o n with a suggested new approach, Math.
Comp. 29 (1975), 155-772.
L. Monier, Algorithmes d e f a c t o r i s a t i o n d ' e n t i e r s , t d s e de 3e Cycle,
C81
Orsay (1980).
C91
P. Montgome-ry, p r i v a t e communication.
M.A.
[lo]
t i o n of
(1
F
11
7'
Morrison and J. B r i l l h a r t , A method of f a c t o r i n g and t h e f a c t o r i z a -
Math. Comp. 29 (1975), 183-205.
C. Pomerance, Analysis and comparison of some i n t e g e r f a c t o r i n g a l g o r i -
thms, i n Computational Methods i n Number Theory, H.W.
eds.,
Math. Centrum T r a c t 154 (1982), 89-139.
Lenstra, Jr. and R. Tiideman,
182
[12]
C. Pomerance and S.S.
Wagstaff, Jr., Implementation of t h e continued
f r a c t i o n algorithm, Cow. N u m e r a n t i u m 37 ( 1 9 8 3 ) , 99-1 18.
C131 C.P. Schnorr and H.W.
L e n s t r a , J r . , A Monte C a r 1 0 f a c t o r i n g a l g o r i t h m
with f i n i t e s t o r a g e , p r e p r i n t .
[I41
M.C. Wunderlich, A r e p o r t on t h e f a c t o r i z a t i o n of 2797 numbers using
t h e continued f r a c t i o n a l g o r i t h m , unpublished manuscript.

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz